Say you have a directory that you want to limit only to people who have the password. For example, you have some pictures that you only want your family to see.
We'll start by creating a subdirectory under your main Apache directory. Where that is varies by distribution; you are looking for the DocumentRoot in your httpd.conf. In FreeBSD it defaults to /usr/local/www/apache24/data, in RedHat it's /var/www/html. At any rate, create your new directory under the DocumentRoot. So, if you use RedHat and stick to their defaults, you'd go to /var/www/html and run mkdir images. (Referring to our earlier example, we'll have an images directory to share photos.)
After it's created, cd to images and create a password for the "family" user:
htpasswd -c (full path to images directory)/.htpasswd family
The rest of this page uses /var/www/images as the path, that is, it assumes a DocumentRoot of /var/www. If your DocumentRoot is /var/www/html, the directory is /var/www/html/images and the paths below need adjusting accordingly. With that assumption the command is
htpasswd -c /var/www/images/.htpasswd family
It will ask for the password and then have you repeat it. You will now have a file /var/www/images/.htpasswd containing the hashed password for the user family. By default htpasswd uses the Apache-specific MD5 scheme (hashes starting with $apr1$); pass -B to get bcrypt instead, which is the stronger choice and is also accepted by nginx on systems whose crypt() library supports it (libxcrypt on current Linux distributions, and FreeBSD). If you need to add a second user, say friends, you repeat the command without the -c, which is for create (and which would overwrite the existing file, wiping the family entry):
htpasswd /var/www/images/.htpasswd friends
Now that we have .htpasswd, we'll create an .htaccess file. First, check whether there is already an .htaccess file in the DocumentRoot or in any directory between it and images: Apache merges the .htaccess files from each directory along the path, so directives in a parent file also apply to images and may interact with the one you are about to create.
Our aim here is to have it so that when family enters the username and password, they will see a list of the available images. Our .htaccess file, placed in /var/www/images, will read
AuthUserFile /var/www/images/.htpasswd
AuthGroupFile /dev/null
AuthName "family"
AuthType Basic
Require valid-user
Options +Indexes
Adjust the path to .htpasswd to match your system. The user "family" doesn't have to be a user on the system; it is an arbitrary name used to access the directory. For the file to take effect at all, the <Directory> block covering the DocumentRoot in httpd.conf must have AllowOverride AuthConfig Options (or AllowOverride All). The RedHat and FreeBSD defaults are AllowOverride None, in which case Apache ignores the .htaccess file without complaint and the directory is served with no password prompt; if AuthConfig is allowed but Options is not, the Options +Indexes line produces a 500 Internal Server Error instead. The Options +Indexes is what will produce the list of files once the user has authenticated. If that line is missing, nothing in httpd.conf enables Indexes for the directory, and there is no index.html, then once family logs in they'll get a 403 Forbidden.
The way around that is to have an index.html file in the images directory. The index.html file is required if you don't have the Options +Indexes line. It can be blank, though if it is, all the user will see once they log in is a blank page; the files are still there, and an authenticated user can fetch one directly, say www/images/image01.jpg, if they know the exact URL.
In my case, for my uses, when I've password-protected a directory, I want allowed users to see the files in the directory, so I tend to use the Options +Indexes method.
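For reference, here is the httpd.conf side that the .htaccess above depends on. This is an added example, not the page's own configuration; it assumes the RedHat layout (/var/www/html as DocumentRoot; FreeBSD's is /usr/local/www/apache24/data) and shows the minimum AllowOverride the .htaccess needs, plus the stock rule that keeps .htpasswd and .htaccess themselves from being served.

```apache
# httpd.conf: the Directory block covering the DocumentRoot (RedHat layout
# assumed). The stock file ships this with "AllowOverride None", which makes
# Apache ignore .htaccess files in the tree entirely, password prompt included.
<Directory "/var/www/html">
    Options FollowSymLinks
    # AuthConfig: lets .htaccess use AuthType, AuthName, AuthUserFile, Require.
    # Options=Indexes: lets it use "Options +Indexes" and nothing else
    # (without this, that line gives a 500 Internal Server Error).
    AllowOverride AuthConfig Options=Indexes
    Require all granted
</Directory>

# Already present in the stock httpd.conf; keep it. Without it a request for
# /images/.htpasswd would hand out the hash file to anyone who can reach it.
<Files ".ht*">
    Require all denied
</Files>
```

After changing httpd.conf, run apachectl configtest before restarting, and then check with a browser or curl that /images/ prompts for a password and that /images/.htpasswd returns 403.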
For nginx we'll again use /var/www as the default, with a subdirectory called images. If you have Apache installed you can create the password file the same way we did above, using htpasswd and storing it in /var/www/images/.htpasswd.
Most distributions offer htpasswd in a package that doesn't pull in Apache itself. RedHat, for example, has httpd-tools (Debian and Ubuntu have apache2-utils). But if you don't want to use htpasswd you can use
openssl passwd -apr1
It will prompt for a password, then ask you to retype it. The password won't echo. Then it prints the hashed password. Put this after the desired username, separated by a colon with no space, in the format
family:$apr1$UzdAkFcl$ww4EoZ7X8ZaqRTuxBALYY/
Or, again assuming this is for the "family" user, to do it in one line
echo "family:$(openssl passwd -apr1)" > /var/www/images/.htpasswd
openssl still prompts for the password. Passing it as an argument instead, as in openssl passwd -apr1 'mypass', leaves the password in your shell history and visible in the process list while the command runs, so the prompt is preferable. Note the colon directly after the username; the resulting line must read
family:$apr1$20XFW8jz$EkeJhahDl.GZn/NIjoGSg0
with no space after the colon, because both Apache and nginx treat everything after the colon, a leading space included, as the hash, and a line written as "family: $apr1$..." will never match. The salt is random, so your hash will differ from the one shown. Use >> rather than > when adding a second user, or the first entry is overwritten.
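To make the file format and the create/append behaviour concrete, here is a self-contained Python script that does what htpasswd and openssl passwd -apr1 do for the $apr1$ scheme used throughout this page: it generates entries, applies the -c (create, overwrite) versus append semantics, verifies a login the way the servers do, and flags the "space after the colon" mistake. This is an added example, not the page's own code and not part of Apache or nginx; the function names (md5_crypt, add_user, check_login, lint_htpasswd) and the sample users are this example's own. The hash routine is the MD5-crypt algorithm that both $apr1$ (htpasswd) and $1$ (system crypt) use, differing only in the magic prefix.

```python
"""Generate and verify htpasswd entries without htpasswd(1) or openssl.

Added example for this page (not the page's own code). Implements the
Apache MD5-crypt scheme ("$apr1$") that htpasswd and 'openssl passwd -apr1'
produce, plus htpasswd's create/append behaviour and server-style checking.
"""
import hashlib
import hmac
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    """Crypt-style base64: low 6 bits first, using the ./0-9A-Za-z alphabet."""
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def md5_crypt(password, salt, magic=b"$apr1$"):
    """MD5-crypt as used by htpasswd (magic $apr1$) and system crypt ($1$)."""
    pw = password.encode()
    salt = salt[:8].encode()           # at most 8 salt characters are used
    ctx = hashlib.md5(pw + magic + salt)
    alt = hashlib.md5(pw + salt + pw).digest()
    for remaining in range(len(pw), 0, -16):
        ctx.update(alt[:min(remaining, 16)])
    bits = len(pw)
    while bits:                          # the "something really weird" step
        ctx.update(b"\0" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()
    for i in range(1000):                # stretching loop
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    f = final
    encoded = (
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
        + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
        + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
        + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
        + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
        + _to64(f[11], 2)
    )
    return magic.decode() + salt.decode() + "$" + encoded


def add_user(entries, user, password, create=False, salt=None):
    """Return new htpasswd lines. create=True mirrors 'htpasswd -c': it starts
    a fresh file and discards whatever entries were passed in, exactly as -c
    overwrites an existing file. Otherwise an existing user is updated in
    place and a new one appended, which is what htpasswd without -c does."""
    if ":" in user:
        raise ValueError("user name may not contain ':'")
    salt = salt or "".join(secrets.choice(ITOA64) for _ in range(8))
    line = user + ":" + md5_crypt(password, salt)
    if create:
        return [line]
    return [e for e in entries if e.split(":", 1)[0] != user] + [line]


def parse_htpasswd(lines):
    """Map user -> stored hash. Everything after the first colon is the hash,
    which is why 'family: $apr1$...' (with a space) can never match."""
    users = {}
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        user, _, hashed = line.rstrip("\n").partition(":")
        users[user] = hashed
    return users


def check_login(lines, user, password):
    """Verify the way the servers do: rehash with the stored salt, compare."""
    stored = parse_htpasswd(lines).get(user)
    if stored is None or not stored.startswith("$apr1$"):
        return False
    parts = stored.split("$")            # ['', 'apr1', salt, hash]
    if len(parts) != 4:
        return False
    return hmac.compare_digest(md5_crypt(password, parts[2]), stored)


def lint_htpasswd(lines):
    """Report the formatting mistakes a hand-edited file commonly has."""
    problems = []
    for n, line in enumerate(lines, 1):
        if ":" not in line:
            problems.append(f"line {n}: no ':' between user and hash")
        elif line.split(":", 1)[1].startswith(" "):
            problems.append(f"line {n}: space after ':' becomes part of the hash")
    return problems


if __name__ == "__main__":
    # Constructed sample: the two users from the text, written the way
    # 'htpasswd -c' then 'htpasswd' (no -c) would write them.
    htpasswd = add_user([], "family", "mypass", create=True)
    htpasswd = add_user(htpasswd, "friends", "otherpass")
    print("\n".join(htpasswd))
    print("family/mypass ok:", check_login(htpasswd, "family", "mypass"))
    print("lint of 'family: $apr1$...':",
          lint_htpasswd(["family: " + htpasswd[0].split(":", 1)[1]]))
```

The md5_crypt function is checked in the test against a published $1$ vector, which exercises the same code path as $apr1$. MD5-crypt is fast enough to brute-force offline, which is the reason to prefer htpasswd -B (bcrypt) when your server supports it, and a further reason not to leave the hash file where it can be downloaded.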
It's easiest to use htpasswd, in my opinion. <shrug>
Regardless of how you create the password file, next we configure nginx.conf. Its location will also vary depending upon the system: RedHat will have it in /etc/nginx, FreeBSD in /usr/local/etc/nginx, etc.
I am assuming you are using a site that uses a certificate, so, if using nginx, you would have a redirect portion in your nginx.conf. For example, mine reads
return 301 https://$server_name$request_uri;
which redirects anything to my site to the https version. This becomes important, because if you put your authentication lines in the server block that includes the listen 80; line, they will never be used: the return is processed before nginx gets to authentication, so the request has already been redirected to the https server block. That is also where the authentication belongs. Basic auth sends the username and password base64-encoded, not encrypted, with every request, so it should only ever be offered over https.
So, the block for the main website might read, under the https server block section (the one with listen 443 ssl, etc.)
location / {
root /var/www/;
index index.html index.htm;
}
Under that, we can add a section for our images directory
location /images {
alias /var/www/images/;
auth_basic "Restricted";
auth_basic_user_file /var/www/images/.htpasswd;
autoindex on;
index off;
}
Things to note here: alias is used rather than root. root appends the whole request URI to the directory it names, so with root /var/www/images/ nginx would, after authorizing, look for /var/www/images/images/index.html (root /var/www; on its own would have worked, since /images is then appended to it). alias instead replaces the /images part of the URI with the path given. I don't remember my exact errors, but two problems I ran into were using root rather than alias and not putting a slash after the path, in other words, just having /var/www/images. If I left off the slash, a visitor to the site, after authenticating, would be looking for an incorrect address. I have forgotten which caused a visitor to go to images/images rather than just images, but both have to be correct. The rule with alias is that nginx substitutes the alias path for the location prefix and nothing more, so the two should either both end in a slash or neither should; nginx's own documentation writes such blocks as location /images/ { alias /var/www/images/; }.
The auth_basic "Restricted" is the realm, the text the visitor will see at the top of the box asking for username and password when they go to your site/images (whether it is displayed at all is up to the browser). One can put whatever they want there: Restricted, You must log in, or whatever message is desired. The auth_basic_user_file points to the .htpasswd file. I'm not sure if the full path is needed, but I've always done it that way. One caveat on where the file lives: unlike the stock Apache configuration, nginx has no rule refusing to serve files whose names begin with .ht, so with the file inside /var/www/images anyone who has authenticated can download /images/.htpasswd, hashes and all (autoindex skips dotfiles in its listing, but that is not protection). Keep the file outside the web root, /etc/nginx for example, or add a location that denies /\.ht.
The last two lines are autoindex on and index off. I have autoindex on because I want the list of images to be visible. If I just wanted the visitor to go to a main index.html page with no further information, I would leave off the autoindex line.
However, as I have put in a blank index.html file (see earlier in the article--sometimes not having an index.html file might result in a Forbidden when one goes to the site), the index off line is what lets the viewer see the list of files on the site. If, for example, my index.html file just read Images for you, and I didn't have the index off line, the viewer, after authenticating, would just see the Images for you line. Having index off allows the viewer to see the entire list of files. A caveat: off is not a keyword of nginx's index directive, which only takes file names. index off; works because nginx then looks for a file literally named off, doesn't find one, and falls through to autoindex; a file actually named off in the directory would be served instead. Under nginx it is simpler to leave index.html out of the directory altogether, since with autoindex on nginx doesn't need one to avoid a Forbidden.
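Putting the points above together, here is the https server block as a practitioner would harden it. This is an added example, not the page's own nginx.conf: the server_name, the certificate lines and the /etc/nginx/images.htpasswd path are assumptions, and it differs from the block in the text in three ways: matching trailing slashes on location and alias, the password file moved out of the web root, and no index.html so that index off; is not needed.

```nginx
# Added example, not the page's configuration. Paths and names are assumed.
server {
    listen 443 ssl;
    server_name www.example.com;          # assumed
    # ssl_certificate and ssl_certificate_key lines go here

    root /var/www;                        # main site, as in the text

    location / {
        index index.html index.htm;
    }

    # Trailing slash on both sides: /images/a.jpg maps to /var/www/images/a.jpg,
    # and a request for /images (no slash) is redirected to /images/.
    location /images/ {
        alias /var/www/images/;
        auth_basic "Restricted";
        # Hash file kept outside the web root. nginx has no built-in rule
        # against serving .ht* files, so /var/www/images/.htpasswd would be
        # downloadable by anyone who had authenticated.
        auth_basic_user_file /etc/nginx/images.htpasswd;   # assumed path
        # No index.html in the directory, so autoindex produces the listing
        # without the "index off" workaround.
        autoindex on;
    }

    # For anything else that still lives under the web root. Regex locations
    # are matched after prefix ones, so this applies inside /images/ too.
    location ~ /\.ht {
        deny all;
    }
}
```

Test with nginx -t, reload, then confirm three things: /images/ without credentials returns 401, with credentials it returns the listing, and /images/.htpasswd returns 403 or 404 even with credentials.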
As said above, the main purpose of this page is to make it so that I don't have to look up how to do this each time. It is hoped that the reader will also find it useful.
(Last updated April, 2026)